Direct Broadcasting Satellite (DBS) systems have become increasingly popular in many parts of the world. DBS systems transmit the programming content to a geo-synchronous satellite, which broadcasts it back to the customers. In such a wireless broadcast environment, the transmitted programming can be received by anyone with an appropriate receiver, such as an antenna or a satellite dish. Thus, in order to restrict access to a transmitted program to authorized customers, the service provider typically encrypts the transmitted programs and provides the customer with a set-top terminal (STT) containing one or more decryption keys which may be utilized to decrypt programs that the customer is entitled to. In this manner, the set-top terminal receives encrypted transmissions and decrypts the programs that the customer is entitled to, but nothing else.
Piracy is a major problem for DBS service providers. Therefore, the management of the decryption keys is central to the design of such systems. For a more detailed discussion of key management techniques, see, for example, B. M. Macq and J. J. Quisquater, Cryptology for Digital TV Broadcasting, Proc. of IEEE, 83(6), 944-57 (1995). An important aspect of key management is how the keys for the next billing period are downloaded into the customer's STT. Modem DBS systems typically use a "callback" (or "return path") scheme for this purpose, whereby the STT makes a phone call to the service provider once per billing period, authenticates itself, and downloads the new keys.
In many cases, the service providers would like to monitor the location at which their customers install the STTs, and more importantly, to detect when a customer moves his or her STT to a new location. Under certain circumstances, the movement of the STT may be a form of piracy or otherwise unauthorized. For example, a customer in a first country may not be able to legitimately buy a set-top terminal for a service originating in a second country, even though the satellite's signal is received in the first country, due to various financial, political or copyright restrictions. Nonetheless, a "grey market" may result, in which the STTs are bought in the second country and imported (or smuggled) into the first country. Thus, the service provider would like to detect such activities in order to ensure that STTs that are moved to the first country would not function there.
The movement of STTs may be a form of piracy even without crossing international borders. A service provider would also like to restrict the movement of an STT from a customer's residence to a commercial venue such as a theater or a bar (where a subscription is generally more expensive).
Modern telephone switches provide two features for identifying the calling party, namely, the automatic number identification (ANI) feature, which transfers the calling party's identification to another switch, and the calling number delivery (CND) feature, which transfers the calling party's phone number to the callee. Usually, but not always, the ANI and CND contain the same information. The CND feature is commonly known as the "caller ID" feature.
The "caller ID" feature can be enabled and disabled by the caller by dialing certain codes before the number. In contrast, the ANI feature is automatic and cannot be disabled by the caller. This feature is currently used to locate callers to emergency services (such as "911" in the United States). Since a caller's ANI is readily available for calls to toll-free numbers in the United States, many service providers currently use the ANI to obtain the location of the caller. In the following discussion, the popular name "caller-ID" will apply to either ANI or CND. The service provider maintains a database of the phone number(s) of each customer. In this manner, whenever the customer calls the service provider, the service provider can verify that the call is coming from the customer's designated phone number.
The caller ID feature has been utilized to detect STT movement in DBS systems by implementing a caller ID verification of the callback. It is again noted that the STT needs to make a phone call to the service provider at least once every billing period in order to download decryption keys and upload usage information. During this callback, the STT and the service provider run a cryptographic protocol to authenticate both parties, guarantee the integrity of the data, and prohibit eavesdropping. As part of the authentication, the service provider can match the phone number obtained from the caller ID against the number on record for this particular customer's STT, in order to verify that the STT has not moved.
The caller ID feature is an indirect method of detecting the location of the STT, since the caller ID implicitly identifies a phone number with a geographic location. Therefore, the accuracy of the caller ID scheme really depends on the inflexibility of the local telephone company. However, it has been found that obtaining a location by caller ID is not very reliable. For example, a long-range cordless telephone allows the STT to initiate the call up to half a mile away from the phone's base station, which is connected to the phone line at the legitimate location.
In addition, the STT could be moved without the service provider's knowledge by relocating the phone line to a new address without changing the number (so called "number portability"). Currently, local telephone companies could do this as long as the new address is served by the same telephone exchange. More sophisticated attacks can be used to move the equipment even further. For example, if the STT is connected to a private branch exchange (PBX) switch connected to the telephone network, the PBX is responsible for generating the ANI and CND, which are passed to the callee. A pirate can purchase a PC-based PBX, and instruct the PBX to generate legitimate ANI and CND identifiers, although the STT is actually connected to a different telephone line.
As apparent from the above-described deficiencies with conventional techniques for determining the location of a set-top terminal, a need exists for a method and apparatus for determining the location of a set-top terminal where the cost of breaking the system is higher than the benefit.